Naavi.org

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

PDPSI is a standard for a “Techno Legal Compliance”. Hence the controls under PDPSI go beyond the usual technical controls such as the Firewalls, IDS systems, Access Control, Encryption etc.

The Legal controls include the policy documents such as the Privacy Policy, the Sanction policies in the HR arena etc.

Additionally it is important for us to recognize that most organizations use outsourcing for many of their activities and are also themselves the sub contractors for certain data processing activities.

The regulatory framework envisages that the entire eco-system of personal data processing needs to be accountable for meeting the regulatory compliance requirements. As a result of this, every organization has a liability to its upstream data provider and imposes liabilities to the down stream data processors. These transfer of responsibilities occur through the business contracts. 

Most of the time the business contracts stop at defining the service requirements and the financial commitments. But in the current regime of data protection, the “Information Security” obligations also need to be defined as a part of such contracts. Thus a Data Collector (First Data Controller) collects personal information under a consent contract, hand over the information to a secondary data controller who in turn hands it over to the data processor etc.. all through business contracts.

Hence every organization processing data will have several business contracts which may have prescriptions of its data processing liabilities. It is therefore necessary for the DPO to understand such obligations and factor it into his activities.

Most of the time these business contracts  are executed by business executives without adequate consideration of the information security requirements. Hence the DPO needs to ensure that his requirements are well understood by the business executives so that every contract is “Compliance Ready”.

Assuming that the business executives do execute such contracts, it is the responsibility of the DPO to keep track of the inventory of “Data Protection Liabilities” arising out of these contracts and monitor changes that may occur from time to time. 

Some times there would be difficulties in implementing these requirements and notices of compromise may have to be exchanged. All such requirements need to be documented for the purpose of compliance.

PDPSI therefore expects that the subject company has a robust policy where every contract signed in the name of the company is brought on record, serially numbered and the obligations undertaken are duly taken note of for compliance throughout the life cycle of the contract.

(To Be continued)

Naavi

Other Reference Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. India to be the hub of International Personal Data Processing…. objective of PDPSI
7. Principles of PDPSI
8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
10. Legitimate Interest Policy
11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
12. Criticality of the Grievance Redressal Mechanism in PDPSI
13. Data Breach Notification-What PDPSI expects
14. Naavi’s Data Trust Score model unleashed in the new year
15. Naavi’s 5X5 Data Trust Score System…. Some clarifications
16. Naavi’s Data Trust Score Audit System…allocation of weightages

This article posted on April 15, 2019 had been deleted in a server crash.

It has now been substituted with a new article here

Naavi

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

Data Breach Notification is an important responsibility cast on any data processor under every Data Protection regulation. 

Whenever a Data breach occurs, the Data Controller/Processor/Data Fiduciary need to report it to the regulatory authority within a certain time limit and with a certain amount of details. A failure in reporting itself is a serious non compliance issue. Even when the data breach victims may not have any compensation to claim, the regulatory authority may impose a heavy fine on the organization for the data breach and with an exalted penalty if the breach notification is delayed. 

Under GDPR (Article 33) a data controller should report a breach within 72 hours to the supervisory authority. A Data Processor should report the breach to the data controller “without undue delay” after becoming aware of a personal data breach. 

Under PDPA 2018, (Section 32) the time limit specification is left to the DPA to notify when the DPA comes into existence. 

In the meantime, ITA 2000/8 under Section 79 prescribes “Due Diligence”, time for initiating a grievance redressal mechanism has been prescribed as 36 hours and time for taking down of disputed information upon receipt of an order from a competent authority would be considered as “Immediate”.  Under rule 3(9) of the Intermediary guidelines of 2011, it was mentioned that the intermediary shall report the cyber security incidents to the CERT-IN. But no specific time was specified.

The CERT In separately gave out a notification in which details of what to be reported has been indicated. The time for reporting has to be within a “Reasonable Period”. Apart from this, sectoral regualtors like RBI expect Banks to report incidents to them for which they may prescribe different time limits.

All the regulations normally provide that a provisional report can be made immediately and progress reports can be filed later. GDPR provides  that report should be made to the Data Subjects also. Some regulations like HIPAA require reporting through news paper advertisements and websites. 

While we await the DPA of India to provide the time limits for data breach notification, it is necessary for us to recognize that it is not the time and content which are important for a Data Breach report. This is easy to define in a “Data Breach Notification Policy” which every organization should develop as a part of the control. This is also required under PDPSI.

However, since PDPSI attempts to provide a Data Trust Score (DTS), it is essential for the auditor to assess the quality of the data beach notification policy. If it contains only what is to be reported, to whom and when, it would not be considered an adequate policy.

We must understand that a “Wrong Data Breach Notification” would be disastrous for a company from the point of view of reputation loss and hence before classifying an event as a “Breach” some discretion has to be applied. This is the most difficult part of a DPO’s responsibility since some regulations like GDPR expects the DPO to be directly responsible to the supervisory authority and non-reporting could be a “Breach of Trust” for the DPO. 

Security professionals however know that after a breach occurs, it takes time for it to be detected. First it would be a suspicion and then after a preliminary investigation, suspicion becomes confirmed as a “Breach incident”. Within this time there may be a need for an internal investigation if necessary with forensic intervention. The DPO may not be fully in control of this time frame and the delay could expose him to non compliance charge from the supervisory authority. 

In order to ensure that the DPO is not exposed to unintended consequences during such internal deliberation, the “Data Breach Notification Policy” should clearly establish how a breach will be recognized, evaluated and classified. If the company has a “Whistle Blower Policy”, the data breach recognition commences with the initial whistle blower’s report. The” Incident Management Policy” should also be integrated with the Data Breach notification policy since the reported incident after being resolved, needs to be evaluated as to its classification as a “Breach”.

Additionally, all regulations provide that certain law enforcement agencies have the power to demand information and not providing information when law requires it to be provided has its own penal consequences.

Hence every organization should develop a “Data Disclosure Policy” which addresses the issues of how to respond to a “Data Disclosure Requirement”. Such request can come from a data subject or a police officer or a supervisory authority or a DPA etc. While the law may be clear on who  has the right to ask for the information and it is easy to incorporate in the policy, the difficult part is to establish the identity of the person who is requesting the information.

Any disclosure to a wrong person would become a “Data Breach” and hence the “Data Disclosure Policy” has to be aligned to the “Data Breach Notification policy”, which should also be aligned with the whistle blower policy and incident management policy. To the extent that the first report of a data breach goes to the call center employee, the awareness of how to escalate a complaint to a potential incident report should be available to all the call center employees and the perimeter level personnel who interact with customers.

PDPSI requires the quality of a data breach notification policy to be assessed so that a proper DTS can be assigned.

(To Be continued)

Naavi

Other Reference Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. India to be the hub of International Personal Data Processing…. objective of PDPSI
7. Principles of PDPSI
8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
10. Legitimate Interest Policy
11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
12. Criticality of the Grievance Redressal Mechanism in PDPSI
13. Naavi’s Data Trust Score model unleashed in the new year
14. Naavi’s 5X5 Data Trust Score System…. Some clarifications
15. Naavi’s Data Trust Score Audit System…allocation of weightages

This article posted on April 14, 2019 had been deleted in a server crash.

It has now been substituted with a new article here

Naavi

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of  the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

The essence of any Information Privacy Regulation such as GDPR or PDPA is to ensure that the “Privacy Rights” guaranteed by the Constitution of the country for its citizens are not infringed while the  personal information is processed in electronic form. All processors of such data are “Intermediaries” under the present law in India (ITA 2000/8) and responsibilities are hoisted on them for appropriately securing such data failing which  there could be liabilities.

One of the security provisions that ITA 2000/8 has prescribed is that there has to be accountability of the intermediary by designating a “Grievance Redressal Officer” whose contact details are to be provided on the websites.

The PDPA/GDPR speaks of the same accountability in the form of a need to appoint a DPO who is expected to be both a proactive compliance manager as well as the first contact point for an aggrieved data subject.

The role of a Grievance Redressal Officer is slightly different from a “Compliance Officer”  in the sense that his responsibility kicks in after a grievance is reported. If he is the same person who is also the compliance officer, then there would be a conflict of interest as he turns defensive if any grievance points to a flaw in the system.

Hence it may be necessary from the PDPSI point of view that the roles of the Compliance officer and the Grievance Redressal Officer are suitably segregated.  There is nothing wrong if the compliance officer is the first reference point for a grievance since he has the knowledge of what has gone wrong. But the dispute resolution should be escalated at the earliest to another level where there is no conflict of interest.

Having an effective Grievance Redressal Mechanism is therefore a critical element of PDPSI.

PDPA 2018 does make a specific mention of  Grievance Redressal under section 39 of the draft Bill. A 30 day time is provided for the grievance to be addressed after which the data principal may invoke the adjudication process of the DPA, followed by the appeal to the designated Tribunal and thereafter to the Court of appropriate jurisdiction. (Could be the Supreme Court).

GDPR makes only a vague mention of Grievance Redressal under Article 40 as a part of the code of conduct.

Under PDPSI, it is recognized that the ultimate benefit that a Data Subject expects is a proper grievance redressal and hence it is an essential control that an organization should institute and manage.

Naavi has been advocating that the grievance redressal mencahism should go through the following three stages namely

a) Service level attention by the DPO

b) Ombudsman who is an independent person of repute to whom the complaint can be referred

c) Mediation which could be an extended responsibility handled by the Ombudsman or separately.

It would be ideal if this is followed by an “Arbitration” so that before the statutory process of adjudication is invoked, all remedies available as alternative dispute resolution mechanisms are exhausted.

Since time is the essence of such resolution, an “ODR mechanism” of the type referred to under www.odrglobal.in is recommended.

The service level resolution can be provided within 48 hours and Ombudsman views can be provided within 7 days so that in the first 10 to 15 days, the matter could be ready for “Mediation” for which another 15 days could be provided. Thus within one month, the mediation option would be exhausted and the parties may decide if they have to straightaway go to the adjudicator or exhaust the arbitration.

At present, it appears that 30 days is just sufficient to complete the mediation efforts and also that “Adjudication” being a statutory remedy provided, even if the parties go through the process of “Arbitration”, it would be subordinate to the Adjudication process.

But making a provision for arbitration if necessary with a report to the Adjudicator would be a good idea for an organization to think off.

Naavi has in commenting on the “Intermediary Guidelines”  suggested that just as in the case of Domain Name disputes where we use UDRP/INDRP as a self regulatory mechanism, we can consider an “Intermediary Dispute Resolution Policy” and an associated arbitration process to resolve the disputes arising between the user of an internet service and the intermediary.

A similar mechanism could work even in the PDPA scenario if the Grievance Redressal Mechansim is properly structured and implemented.

In view of the above the DTS system encourages the Data Auditors to consider the presence of an effective Grievance Redressal mechanism as part of the scoring evaluation.

It is therefore considered that under PDPSI, the presence of a Grievance Redressal mechanism and its evaluation is considered critical from the point of view of Data protection by a Data Fiduciary/Data Controller/Data Processor.

(To Be continued)

Naavi

Other Reference Articles

1. A Step beyond BS10012 and GDPR-Personal Data Protection Standard of India-PDPSI
2. Data Protection Standard of India- (DPSI)
3. Data Classification is the first and most important element of PDPSI
4. Why 16 types of Data are indicated in PDPSI?
5. Implementation Responsibility under Personal Data Protection Standard of India
6. India to be the hub of International Personal Data Processing…. objective of PDPSI
7. Principles of PDPSI
8. Pentagon Model of TISM…An implementation approach to PDPSI implementation
9. Personal Data Gate Keepers and Internal Data Controllers in Organizations
10. Legitimate Interest Policy
11. Implement “My Bhi Chowkidar” policy for Personal Data Protection.
12. Naavi’s Data Trust Score model unleashed in the new year
13. Naavi’s 5X5 Data Trust Score System…. Some clarifications
14. Naavi’s Data Trust Score Audit System…allocation of weightages

Dear Friends

It appears that due to a server crash at my hosting services, several postings I had made since April 13th have been lost.

These related mainly to PDPSI. I may try to provide a summary of some of the postings subsequently.

However, in case any of the readers have a copy of my postings since April 13th,  please send them to me through e-mail, while I continue to get the recovery done through the hosting provider.

Following four articles were lost due to the server crash.

https://www.naavi.org/wp/business-agreement-control-an-essential-ingredient-of-pdpsi/ (Substituted with a new post)

https://www.naavi.org/wp/pdpsi-controls-data-breach-notification-and-data-disclosure-policies/ (Substituted with a new post)

https://www.naavi.org/wp/pdpsi-controls-grievance-redressal-mechanism/ (Substituted with a new post)

https://www.naavi.org/wp/if-state-government-turn-rogue-misuse-of-aadhaar-data-cannot-be-prevented/

We shall re-post the essence of these articles separately.

Naavi